Define an index name when the file is already created

How can i create an index in elasticsearch when a file is already created and it contains logs?

the path is /var/log/tcp.log and i want to call the index "tcp"

Apr 5 16:11:01 T30_PABLO (2018-04-05T14:11:01) http-proxy[2072]: msg_id="1AFF-0021" Allow 1-Trusted 4-Embou tcp [MY PUBLIC IP ADDRES] 43832 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.Standard.1" cats="Uncategorized" op="GET" dstname="" arg="/api/v1/third/flushdata" (HTTP-proxy-00)

I'm not sure about your question.

Is it a filebeat question? And elasticsearch question?
Something else?

What prevents you to use tcp as the index name?

An elastic one.

And I use "tcp" because later on i will index my udp ones so...

I don't understand then the relationship with a file named /var/log/tcp.log...

To index a document in elasticsearch you basically run:

POST tcp/_doc
  "message": "Apr 5 16:11:01 T30_PABLO (2018-04-05T14:11:01) http-proxy[2072]:..."

Ok. Thank you.

Helps a lot even if you dont think so. :slight_smile:

And do you know how I can index depending on the msg_ids because those msg_ids means different types of attack. Because maybe it will be better if I index my logs based on their msg_id I don´t know :confused:


PUT tcp/_doc/1AFF-0021
  "message": "Apr 5 16:11:01 T30_PABLO (2018-04-05T14:11:01) http-proxy[2072]:..."

I do not mean that specifically. Because I get an excessive amount of logs, then indexing them by msg_id would be the best way, but the way you show me I would index a message and not a bunch of them. Because I've passed you the way the logs arrive.

Again, I have no idea of what you are doing.

But have a look at

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.